Skip to main content
RobertN
RobertN
New Member
December 9, 2025
Question

IPsec Tunnel outbound traffic

  • December 9, 2025
  • 2 replies
  • 659 views

So I have an VPN tunnel with a client, which is UP, and I revive traffic from him but I cannot respond(I'll attach an image of the sniff)

 

Screenshot 2025-12-09 105300.pngTo explain it a bit i have 2 Fortigates, one for public IP's and exterior, where i have the Tunnel, and other for the internal subnets, where i have that subnet 192.168.2.0, and they are connected by that interface "INTERCONET-VPN" which is on port 2. From what i know i did everything for the Tunnel to work( firewall rules in and out, static route for their IP to be routed trough tunnel, nat is not enable for any of the subnets). 

This is a print of the tunnel if it helpsScreenshot 2025-12-09 112814.png

Do you have any ideas why this happens? 

2 replies

funkylicious
SuperUser
funkylicious
SuperUser
December 9, 2025

hi,

make sure that on FGT-internal, you have a route back to 10.0.196.0/24 towards FGT-external and there's also a firewall rule on it that allows traffic from that network to 192.168.2.143.

"jack of all trades, master of none"
RobertN
RobertNAuthor
New Member
December 9, 2025

hi, so i added an route for 10.0.196.0/24 back to the first fortigate, and the firewall rules, but still no luck..

funkylicious
SuperUser
funkylicious
SuperUser
December 9, 2025

i would make a traffic capture on the local internal destination system and double check if the traffic reaches.

also, i would also start a capture on the internal FGT to see how it handles the traffic, not only on the FGT terminating the IPsec VPN.

"jack of all trades, master of none"
kaman
Staff
kaman
Staff
December 9, 2025

Hi RobertN,

From the attached sniffer, it looks like SYN packet was going out via INTERCONET-VPN but no response from the other side.

Could you please run the debug commands and share us the output with us to check further:

get router info routing-table details 10.0.196.21
get router info routing-table details 192.168.2.143
diag debug reset
diag debug flow filter addr 10.0.196.21
diag debug flow show function-name en
diag debug flow trace start 800
diagnose debug console timestamp enable
diag debug enable

++ Additionally, for testing, enable the NAT in the firewall policy (Tunnel-LAN) and then check the behaviour.

If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

RobertN
RobertNAuthor
New Member
December 9, 2025

Hi, I attached you 2 output, one before I enabled NAT between Tunnel and LAN, and one after.

BEFORE NAT

RSS-100F-2 # get router info routing-table details 10.0.196.21

Routing table for VRF=0
Routing entry for 10.0.196.0/24
Known via "static", distance 10, metric 0, best
* via TUNEL BT tunnel 194.145.238.254 vrf 0, tun_id

 

RSS-100F-2 # get router info routing-table details 192.168.2.143

Routing table for VRF=0
Routing entry for 192.168.2.0/24
Known via "bgp", distance 200, metric 0, best
Last update 1d00h44m ago
* vrf 0 10.0.0.6 priority 1 (recursive is directly connected, INTERCONET-VPN)

 

RSS-100F-2 # diag debug reset

RSS-100F-2 # diag debug flow filter addr 10.0.196.21

RSS-100F-2 # diag debug flow show function-name en
show function name

RSS-100F-2 # diag debug flow trace start 800

RSS-100F-2 # diagnose debug console timestamp enable

RSS-100F-2 # diag debug enable

RSS-100F-2 # 2025-12-09 15:03:32 id=65308 trace_id=3 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 10.0.1
96.21:12239->192.168.2.143:32222) tun_id=194.145.238.254 from TUNEL BT. flag [S], seq 166626669, ack 0, win 64240"
2025-12-09 15:03:32 id=65308 trace_id=3 func=resolve_ip_tuple_fast line=6040 msg="Find an existing session, id-020d69c9, original dir
ection"
2025-12-09 15:03:32 id=65308 trace_id=3 func=ipsec_spoofed4 line=245 msg="src ip 10.0.196.21 match selector 0 range 10.0.196.0-10.0.1
96.255"
2025-12-09 15:03:32 id=65308 trace_id=3 func=npu_handle_session44 line=1238 msg="Trying to offloading session from TUNEL BT to INTERC
ONET-VPN, skb.npu_flag=00000000 ses.state=04010200 ses.npu_state=0x00000000"
2025-12-09 15:03:32 id=65308 trace_id=3 func=fw_forward_dirty_handler line=442 msg="state=04010200, state2=00000000, npu_state=000000
00"
2025-12-09 15:05:08 id=65308 trace_id=4 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 10.0.196.21:12299->
192.168.2.143:32222) tun_id=194.145.238.254 from TUNEL BT. flag [S], seq 2198676979, ack 0, win 64240"
2025-12-09 15:05:08 id=65308 trace_id=4 func=ipsec_spoofed4 line=245 msg="src ip 10.0.196.21 match selector 0 range 10.0.196.0-10.0.1
96.255"
2025-12-09 15:05:08 id=65308 trace_id=4 func=init_ip_session_common line=6138 msg="allocate a new session-020e2765"
2025-12-09 15:05:08 id=65308 trace_id=4 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-10.0.0.6 via INTE
RCONET-VPN"
2025-12-09 15:05:08 id=65308 trace_id=4 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=9"
2025-12-09 15:05:08 id=65308 trace_id=4 func=fw_forward_handler line=992 msg="Allowed by Policy-25:"
2025-12-09 15:05:11 id=65308 trace_id=5 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 10.0.196.21:12299->
192.168.2.143:32222) tun_id=194.145.238.254 from TUNEL BT. flag [S], seq 2198676979, ack 0, win 64240"
2025-12-09 15:05:11 id=65308 trace_id=5 func=resolve_ip_tuple_fast line=6040 msg="Find an existing session, id-020e2765, original dir
ection"
2025-12-09 15:05:11 id=65308 trace_id=5 func=ipsec_spoofed4 line=245 msg="src ip 10.0.196.21 match selector 0 range 10.0.196.0-10.0.1
96.255"
2025-12-09 15:05:11 id=65308 trace_id=5 func=npu_handle_session44 line=1238 msg="Trying to offloading session from TUNEL BT to INTERC
ONET-VPN, skb.npu_flag=00000000 ses.state=04010200 ses.npu_state=0x00000000"
2025-12-09 15:05:11 id=65308 trace_id=5 func=fw_forward_dirty_handler line=442 msg="state=04010200, state2=00000000, npu_state=000000
00"
2025-12-09 15:05:17 id=65308 trace_id=6 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 10.0.196.21:12299->
192.168.2.143:32222) tun_id=194.145.238.254 from TUNEL BT. flag [S], seq 2198676979, ack 0, win 64240"
2025-12-09 15:05:17 id=65308 trace_id=6 func=resolve_ip_tuple_fast line=6040 msg="Find an existing session, id-020e2765, original dir
ection"
2025-12-09 15:05:17 id=65308 trace_id=6 func=ipsec_spoofed4 line=245 msg="src ip 10.0.196.21 match selector 0 range 10.0.196.0-10.0.1
96.255"
2025-12-09 15:05:17 id=65308 trace_id=6 func=npu_handle_session44 line=1238 msg="Trying to offloading session from TUNEL BT to INTERC
ONET-VPN, skb.npu_flag=00000000 ses.state=04010200 ses.npu_state=0x00000000"
2025-12-09 15:05:17 id=65308 trace_id=6 func=fw_forward_dirty_handler line=442 msg="state=04010200, state2=00000000, npu_state=000000
00"
2025-12-09 15:05:34 id=65308 trace_id=7 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 10.0.196.21:12305->
192.168.2.143:32222) tun_id=194.145.238.254 from TUNEL BT. flag [S], seq 917245498, ack 0, win 64240"
2025-12-09 15:05:34 id=65308 trace_id=7 func=ipsec_spoofed4 line=245 msg="src ip 10.0.196.21 match selector 0 range 10.0.196.0-10.0.1
96.255"
2025-12-09 15:05:34 id=65308 trace_id=7 func=init_ip_session_common line=6138 msg="allocate a new session-020e5379"
2025-12-09 15:05:34 id=65308 trace_id=7 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-10.0.0.6 via INTE
RCONET-VPN"
2025-12-09 15:05:34 id=65308 trace_id=7 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=9"
2025-12-09 15:05:34 id=65308 trace_id=7 func=fw_forward_handler line=992 msg="Allowed by Policy-25:"
2025-12-09 15:05:37 id=65308 trace_id=8 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 10.0.196.21:12305->
192.168.2.143:32222) tun_id=194.145.238.254 from TUNEL BT. flag [S], seq 917245498, ack 0, win 64240"
2025-12-09 15:05:37 id=65308 trace_id=8 func=resolve_ip_tuple_fast line=6040 msg="Find an existing session, id-020e5379, original dir
ection"
2025-12-09 15:05:37 id=65308 trace_id=8 func=ipsec_spoofed4 line=245 msg="src ip 10.0.196.21 match selector 0 range 10.0.196.0-10.0.1
96.255"
2025-12-09 15:05:37 id=65308 trace_id=8 func=npu_handle_session44 line=1238 msg="Trying to offloading session from TUNEL BT to INTERC
ONET-VPN, skb.npu_flag=00000000 ses.state=04010200 ses.npu_state=0x00000000"
2025-12-09 15:05:37 id=65308 trace_id=8 func=fw_forward_dirty_handler line=442 msg="state=04010200, state2=00000000, npu_state=000000
00"

AFTER NAT

 

RSS-100F-2 # diag debug enable

RSS-100F-2 # 2025-12-09 15:08:10 id=65308 trace_id=16 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 10.0.196.21:12347->192.168.2.143:32222) tun_id=194.145.238.254 from TUNEL BT. flag [S], seq 2025385004, ack 0, win 64240"
2025-12-09 15:08:10 id=65308 trace_id=16 func=ipsec_spoofed4 line=245 msg="src ip 10.0.196.21 match selector 0 range 10.0.196.0-10.0.196.255"
2025-12-09 15:08:10 id=65308 trace_id=16 func=init_ip_session_common line=6138 msg="allocate a new session-020f655b"
2025-12-09 15:08:10 id=65308 trace_id=16 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-10.0.0.6 via INTERCONET-VPN"
2025-12-09 15:08:10 id=65308 trace_id=16 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=9"
2025-12-09 15:08:10 id=65308 trace_id=16 func=fw_forward_handler line=992 msg="Allowed by Policy-25:"
2025-12-09 15:08:13 id=65308 trace_id=17 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 10.0.196.21:12347->192.168.2.143:32222) tun_id=194.145.238.254 from TUNEL BT. flag [S], seq 2025385004, ack 0, win 64240"
2025-12-09 15:08:13 id=65308 trace_id=17 func=resolve_ip_tuple_fast line=6040 msg="Find an existing session, id-020f655b, original direction"
2025-12-09 15:08:13 id=65308 trace_id=17 func=ipsec_spoofed4 line=245 msg="src ip 10.0.196.21 match selector 0 range 10.0.196.0-10.0.196.255"
2025-12-09 15:08:13 id=65308 trace_id=17 func=npu_handle_session44 line=1238 msg="Trying to offloading session from TUNEL BT to INTERCONET-VPN, skb.npu_flag=00000000 ses.state=04010200 ses.npu_state=0x00000000"
2025-12-09 15:08:13 id=65308 trace_id=17 func=fw_forward_dirty_handler line=442 msg="state=04010200, state2=00000000, npu_state=00000000"
diag debug enable2025-12-09 15:08:19 id=65308 trace_id=18 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 10.0.196.21:12347->192.168.2.143:32222) tun_id=194.145.238.254 from TUNEL BT. flag [S], seq 2025385004, ack 0, win 64240"
2025-12-09 15:08:19 id=65308 trace_id=18 func=resolve_ip_tuple_fast line=6040 msg="Find an existing session, id-020f655b, original direction"
2025-12-09 15:08:19 id=65308 trace_id=18 func=ipsec_spoofed4 line=245 msg="src ip 10.0.196.21 match selector 0 range 10.0.196.0-10.0.196.255"
2025-12-09 15:08:19 id=65308 trace_id=18 func=npu_handle_session44 line=1238 msg="Trying to offloading session from TUNEL BT to INTERCONET-VPN, skb.npu_flag=00000000 ses.state=04010200 ses.npu_state=0x00000000"
2025-12-09 15:08:19 id=65308 trace_id=18 func=fw_forward_dirty_handler line=442 msg="state=04010200, state2=00000000, npu_state=00000000"
enable disable

Terms & ConditionsAccessibility statement